Over 4000 Android Apps Expose Millions Of Users' Data via Misconfigured Firebase Databases

Over 4000 Android Apps Expose Millions Of Users' Data via Misconfigured Firebase Databases

Security researcher, Bob Diachenko found that 4,282 Android apps that use Google's Firebase are leaking users' personal sensitive data includes their usernames, passwords, phone numbers, email addresses, IP addresses, location data, and chat messages.

Bob Diachenko also found that around 4.8% of Android apps are not properly secured due to misconfiguration and that allows anyone to access database which contains users' private sensitive information without a password or any other type of authentication.

Google's Firebase is a popular mobile and web application development platform. It offers various functionality like analytics, databases, file storage, authentication, fix issues, in-app messaging, and etc. Google's Firebase services used by 30% of all Android apps.

Misconfigured apps cover education, entertainment, games, travel, local, and business categories. Also, these misconfigured apps found to be installed by 4.22 B times by users. If users use one of the misconfigured apps then it may pose a risk to the user's security and privacy.

Firebase is also a cross-platform tool and because of that researcher said that the misconfigurations are also impacting iOS and web apps as well.

The exposed data includes :

1) Usernames : 44,00,000+
2) Passwords : 10,00,000+
3) Full Names : 1,83,00,000+
4) Phone Numbers : 53,00,000+
5) Email Addresses : 70,00,000+
6) Street Addresses : 5,60,000+
7) GPS Data : 62,00,000+
8) IP Addresses : 1,56,000+
9) Chat Messages : 68,00,000+

Over 4000 Android Apps Expose Millions Of Users' Data via Misconfigured Firebase Databases

Security researchers analyzed around 1,55,066 Firebase apps and found that 11,730 apps had publicly exposed databases and out of 11,730 apps 9,014 apps even included write permissions and because of that, an attacker can inject malicious data into an app, spread malware, and corrupt the application database.

Out of 11,730 exposed apps, 4,282 apps leaked users' personal sensitive data. An attacker can easily find, view, and download the contents of exposed databases in JSON format by simply appending "/.json" to the end of a database URL (Ex. https://project-name.firebaseio.com/.json).

Over 4000 Android Apps Expose Millions Of Users' Data via Misconfigured Firebase Databases

Google removes these exposed Firebase database URLs from its search results. However, these exposed Firebase databases are still indexed by other search engines like Bing, Yahoo, etc.

Leaving a database without a password is an open invitation for attackers. So, It is recommended to app developers that don't store a password in plain text, prevent unauthorized access, and implement proper firebase database rules.

It is also recommended to the users that be aware of what information you share with an app, and use only reputable and trusted apps after checking reviews.

If you have any questions related to Firebase data leak and also want to share your views on this then please mention in the comments box and I will get back to you and stay tuned with my blog.

2 comments:

  1. Hello, I want to know how to check if my credentials has been breached.
    I use firebase a lot for many things, so how can I check if it has been breached. Thanks

    ReplyDelete
  2. I think this is an informative post and it is very useful and knowledgeable. therefore, I would like to thank you for the efforts you have made in writing this article. hikedatabase.com/united-states/hiking-in-rhode-island/

    ReplyDelete

Powered by Blogger.